@wopr-network/platform-core 1.42.0 → 1.42.1

package/dist/api/middleware/get-client-ip.d.ts

@@ -4,11 +4,20 @@ import type { Context } from "hono";
  * Returns an empty set if the value is undefined or empty.
  */
 export declare function parseTrustedProxies(envValue: string | undefined): Set<string>;
+/**
+ * Check whether an IPv4 address is in an RFC 1918 private range or loopback.
+ * These are always behind a proxy in production (Docker, k8s, cloud VPCs)
+ * so trusting X-Forwarded-For from them is safe and expected.
+ *
+ * Ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8
+ */
+export declare function isPrivateIp(ip: string): boolean;
 /**
  * Determine the real client IP.
  *
- * - If `socketAddr` matches a trusted proxy, use the **first** (leftmost)
- *   value from `X-Forwarded-For` (the original client IP).
+ * - If `socketAddr` matches a trusted proxy (explicit list OR RFC 1918
+ *   private IP), use the **first** (leftmost) value from
+ *   `X-Forwarded-For` (the original client IP).
  * - Otherwise, use `socketAddr` directly (XFF is untrusted).
  * - Falls back to `"unknown"` if neither is available.
  */

package/dist/api/middleware/get-client-ip.js

@@ -14,19 +14,43 @@ export function parseTrustedProxies(envValue) {
 function normalizeIp(ip) {
     return ip.startsWith("::ffff:") ? ip.slice(7) : ip;
 }
+/**
+ * Check whether an IPv4 address is in an RFC 1918 private range or loopback.
+ * These are always behind a proxy in production (Docker, k8s, cloud VPCs)
+ * so trusting X-Forwarded-For from them is safe and expected.
+ *
+ * Ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8
+ */
+export function isPrivateIp(ip) {
+    const parts = ip.split(".");
+    if (parts.length !== 4)
+        return false;
+    const a = Number.parseInt(parts[0], 10);
+    const b = Number.parseInt(parts[1], 10);
+    if (a === 10)
+        return true;
+    if (a === 172 && b >= 16 && b <= 31)
+        return true;
+    if (a === 192 && b === 168)
+        return true;
+    if (a === 127)
+        return true;
+    return false;
+}
 // Parsed once at module load — no per-request overhead.
 const trustedProxies = parseTrustedProxies(process.env.TRUSTED_PROXY_IPS);
 /**
  * Determine the real client IP.
  *
- * - If `socketAddr` matches a trusted proxy, use the **first** (leftmost)
- *   value from `X-Forwarded-For` (the original client IP).
+ * - If `socketAddr` matches a trusted proxy (explicit list OR RFC 1918
+ *   private IP), use the **first** (leftmost) value from
+ *   `X-Forwarded-For` (the original client IP).
  * - Otherwise, use `socketAddr` directly (XFF is untrusted).
  * - Falls back to `"unknown"` if neither is available.
  */
 export function getClientIp(xffHeader, socketAddr, trusted = trustedProxies) {
     const normalizedSocket = socketAddr ? normalizeIp(socketAddr) : undefined;
-    if (xffHeader && normalizedSocket && trusted.has(normalizedSocket)) {
+    if (xffHeader && normalizedSocket && (trusted.has(normalizedSocket) || isPrivateIp(normalizedSocket))) {
         const parts = xffHeader.split(",");
         const first = parts[0]?.trim();
         if (first)

package/dist/api/middleware/rate-limit.d.ts

@@ -10,7 +10,7 @@
  */
 import type { Context, MiddlewareHandler } from "hono";
 import type { IRateLimitRepository } from "../rate-limit-repository.js";
-export { getClientIp, parseTrustedProxies } from "./get-client-ip.js";
+export { getClientIp, isPrivateIp, parseTrustedProxies } from "./get-client-ip.js";
 export interface RateLimitConfig {
     /** Maximum number of requests per window. */
     max: number;

package/dist/api/middleware/rate-limit.js

@@ -9,7 +9,7 @@
  * State is persisted via IRateLimitRepository (DB-backed in production).
  */
 import { getClientIpFromContext } from "./get-client-ip.js";
-export { getClientIp, parseTrustedProxies } from "./get-client-ip.js";
+export { getClientIp, isPrivateIp, parseTrustedProxies } from "./get-client-ip.js";
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
@@ -132,8 +132,12 @@ const CHANNEL_VALIDATE_LIMIT = { max: 10 };
 const FLEET_CREATE_LIMIT = { max: 30 };
 /** Fleet read operations (GET /fleet/*): 120 req/min */
 const FLEET_READ_LIMIT = { max: 120 };
-/** Default for everything else: 60 req/min */
-const DEFAULT_LIMIT = { max: 60 };
+/** Default for everything else: 200 req/min.
+ * A single Next.js page load triggers ~60-70 REST requests (sidebar, credits,
+ * session validation, marketplace, etc.). 60 was too low and caused users to
+ * hit rate limits on their first page load. Sensitive endpoints (auth, billing,
+ * signup) have their own stricter limits below. */
+const DEFAULT_LIMIT = { max: 200 };
 /** Auth login: 5 failed attempts per 15 minutes (WOP-839) */
 const AUTH_LOGIN_LIMIT = {
     max: 5,

package/dist/middleware/get-client-ip.d.ts

@@ -4,11 +4,20 @@ import type { Context } from "hono";
  * Returns an empty set if the value is undefined or empty.
  */
 export declare function parseTrustedProxies(envValue: string | undefined): Set<string>;
+/**
+ * Check whether an IPv4 address is in an RFC 1918 private range or loopback.
+ * These are always behind a proxy in production (Docker, k8s, cloud VPCs)
+ * so trusting X-Forwarded-For from them is safe and expected.
+ *
+ * Ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8
+ */
+export declare function isPrivateIp(ip: string): boolean;
 /**
  * Determine the real client IP.
  *
- * - If `socketAddr` matches a trusted proxy, use the **last** (rightmost)
- *   value from `X-Forwarded-For` (closest hop to the trusted proxy).
+ * - If `socketAddr` matches a trusted proxy (explicit list OR RFC 1918
+ *   private IP), use the **last** (rightmost) value from
+ *   `X-Forwarded-For` (closest hop to the trusted proxy).
  * - Otherwise, use `socketAddr` directly (XFF is untrusted).
  * - Falls back to `"unknown"` if neither is available.
  */

package/dist/middleware/get-client-ip.js

@@ -14,19 +14,43 @@ export function parseTrustedProxies(envValue) {
 function normalizeIp(ip) {
     return ip.startsWith("::ffff:") ? ip.slice(7) : ip;
 }
+/**
+ * Check whether an IPv4 address is in an RFC 1918 private range or loopback.
+ * These are always behind a proxy in production (Docker, k8s, cloud VPCs)
+ * so trusting X-Forwarded-For from them is safe and expected.
+ *
+ * Ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8
+ */
+export function isPrivateIp(ip) {
+    const parts = ip.split(".");
+    if (parts.length !== 4)
+        return false;
+    const a = Number.parseInt(parts[0], 10);
+    const b = Number.parseInt(parts[1], 10);
+    if (a === 10)
+        return true;
+    if (a === 172 && b >= 16 && b <= 31)
+        return true;
+    if (a === 192 && b === 168)
+        return true;
+    if (a === 127)
+        return true;
+    return false;
+}
 // Parsed once at module load — no per-request overhead.
 const trustedProxies = parseTrustedProxies(process.env.TRUSTED_PROXY_IPS);
 /**
  * Determine the real client IP.
  *
- * - If `socketAddr` matches a trusted proxy, use the **last** (rightmost)
- *   value from `X-Forwarded-For` (closest hop to the trusted proxy).
+ * - If `socketAddr` matches a trusted proxy (explicit list OR RFC 1918
+ *   private IP), use the **last** (rightmost) value from
+ *   `X-Forwarded-For` (closest hop to the trusted proxy).
  * - Otherwise, use `socketAddr` directly (XFF is untrusted).
  * - Falls back to `"unknown"` if neither is available.
  */
 export function getClientIp(xffHeader, socketAddr, trusted = trustedProxies) {
     const normalizedSocket = socketAddr ? normalizeIp(socketAddr) : undefined;
-    if (xffHeader && normalizedSocket && trusted.has(normalizedSocket)) {
+    if (xffHeader && normalizedSocket && (trusted.has(normalizedSocket) || isPrivateIp(normalizedSocket))) {
         // Trust XFF — take the rightmost (last) value
         const parts = xffHeader.split(",");
         const last = parts[parts.length - 1]?.trim();

package/dist/middleware/get-client-ip.test.js

@@ -1,5 +1,5 @@
 import { describe, expect, it } from "vitest";
-import { getClientIp, parseTrustedProxies } from "./get-client-ip.js";
+import { getClientIp, isPrivateIp, parseTrustedProxies } from "./get-client-ip.js";
 describe("parseTrustedProxies", () => {
     it("returns empty set for undefined", () => {
         expect(parseTrustedProxies(undefined).size).toBe(0);
@@ -14,6 +14,37 @@ describe("parseTrustedProxies", () => {
         expect(result.size).toBe(2);
     });
 });
+describe("isPrivateIp", () => {
+    it("identifies 10.x.x.x as private", () => {
+        expect(isPrivateIp("10.0.0.1")).toBe(true);
+        expect(isPrivateIp("10.255.255.255")).toBe(true);
+    });
+    it("identifies 172.16-31.x.x as private", () => {
+        expect(isPrivateIp("172.16.0.1")).toBe(true);
+        expect(isPrivateIp("172.18.0.5")).toBe(true);
+        expect(isPrivateIp("172.31.255.255")).toBe(true);
+    });
+    it("rejects 172.15.x.x and 172.32.x.x as non-private", () => {
+        expect(isPrivateIp("172.15.0.1")).toBe(false);
+        expect(isPrivateIp("172.32.0.1")).toBe(false);
+    });
+    it("identifies 192.168.x.x as private", () => {
+        expect(isPrivateIp("192.168.0.1")).toBe(true);
+        expect(isPrivateIp("192.168.1.100")).toBe(true);
+    });
+    it("identifies 127.x.x.x as private (loopback)", () => {
+        expect(isPrivateIp("127.0.0.1")).toBe(true);
+    });
+    it("rejects public IPs", () => {
+        expect(isPrivateIp("8.8.8.8")).toBe(false);
+        expect(isPrivateIp("1.2.3.4")).toBe(false);
+        expect(isPrivateIp("203.0.113.1")).toBe(false);
+    });
+    it("rejects non-IPv4 strings", () => {
+        expect(isPrivateIp("::1")).toBe(false);
+        expect(isPrivateIp("not-an-ip")).toBe(false);
+    });
+});
 describe("getClientIp", () => {
     it("returns socket address when no trusted proxies configured", () => {
         expect(getClientIp("attacker-spoofed", "1.2.3.4", new Set())).toBe("1.2.3.4");
@@ -37,4 +68,15 @@ describe("getClientIp", () => {
     it("returns 'unknown' when no socket and no XFF", () => {
         expect(getClientIp(undefined, undefined, new Set())).toBe("unknown");
     });
+    it("auto-trusts private IPs even without explicit trusted proxy set", () => {
+        expect(getClientIp("real-client", "172.18.0.5", new Set())).toBe("real-client");
+        expect(getClientIp("real-client", "192.168.1.1", new Set())).toBe("real-client");
+        expect(getClientIp("real-client", "10.0.0.1", new Set())).toBe("real-client");
+    });
+    it("auto-trusts IPv6-mapped private IPs", () => {
+        expect(getClientIp("real-client", "::ffff:172.18.0.5", new Set())).toBe("real-client");
+    });
+    it("does NOT auto-trust public IPs without explicit proxy config", () => {
+        expect(getClientIp("spoofed", "8.8.8.8", new Set())).toBe("8.8.8.8");
+    });
 });

package/dist/middleware/rate-limit.d.ts

@@ -10,7 +10,7 @@
  */
 import type { Context, MiddlewareHandler } from "hono";
 import type { IRateLimitRepository } from "./rate-limit-repository.js";
-export { getClientIp, parseTrustedProxies } from "./get-client-ip.js";
+export { getClientIp, isPrivateIp, parseTrustedProxies } from "./get-client-ip.js";
 export interface RateLimitConfig {
     /** Maximum number of requests per window. */
     max: number;

package/dist/middleware/rate-limit.js

@@ -9,7 +9,7 @@
  * State is persisted via IRateLimitRepository (DB-backed in production).
  */
 import { getClientIpFromContext } from "./get-client-ip.js";
-export { getClientIp, parseTrustedProxies } from "./get-client-ip.js";
+export { getClientIp, isPrivateIp, parseTrustedProxies } from "./get-client-ip.js";
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------

package/dist/middleware/rate-limit.test.js

@@ -196,11 +196,17 @@ describe("trusted proxy validation", () => {
     afterEach(() => {
         vi.useRealTimers();
     });
-    it("ignores X-Forwarded-For when TRUSTED_PROXY_IPS is not set", () => {
+    it("auto-trusts private IPs even when TRUSTED_PROXY_IPS is not set", () => {
         const trusted = parseTrustedProxies(undefined);
         expect(trusted.size).toBe(0);
+        // Private IPs are auto-trusted — XFF is used
         const ip = getClientIp("spoofed-ip", "192.168.1.100", trusted);
-        expect(ip).toBe("192.168.1.100");
+        expect(ip).toBe("spoofed-ip");
+    });
+    it("ignores X-Forwarded-For from public IPs when TRUSTED_PROXY_IPS is not set", () => {
+        const trusted = parseTrustedProxies(undefined);
+        const ip = getClientIp("spoofed-ip", "203.0.113.1", trusted);
+        expect(ip).toBe("203.0.113.1");
     });
     it("trusts X-Forwarded-For when socket address is in TRUSTED_PROXY_IPS", () => {
         const trusted = parseTrustedProxies("172.18.0.5,10.0.0.1");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wopr-network/platform-core",
-  "version": "1.42.0",
+  "version": "1.42.1",
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/api/middleware/get-client-ip.ts

@@ -19,14 +19,34 @@ function normalizeIp(ip: string): string {
   return ip.startsWith("::ffff:") ? ip.slice(7) : ip;
 }
 
+/**
+ * Check whether an IPv4 address is in an RFC 1918 private range or loopback.
+ * These are always behind a proxy in production (Docker, k8s, cloud VPCs)
+ * so trusting X-Forwarded-For from them is safe and expected.
+ *
+ * Ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8
+ */
+export function isPrivateIp(ip: string): boolean {
+  const parts = ip.split(".");
+  if (parts.length !== 4) return false;
+  const a = Number.parseInt(parts[0], 10);
+  const b = Number.parseInt(parts[1], 10);
+  if (a === 10) return true;
+  if (a === 172 && b >= 16 && b <= 31) return true;
+  if (a === 192 && b === 168) return true;
+  if (a === 127) return true;
+  return false;
+}
+
 // Parsed once at module load — no per-request overhead.
 const trustedProxies = parseTrustedProxies(process.env.TRUSTED_PROXY_IPS);
 
 /**
  * Determine the real client IP.
  *
- * - If `socketAddr` matches a trusted proxy, use the **first** (leftmost)
- *   value from `X-Forwarded-For` (the original client IP).
+ * - If `socketAddr` matches a trusted proxy (explicit list OR RFC 1918
+ *   private IP), use the **first** (leftmost) value from
+ *   `X-Forwarded-For` (the original client IP).
  * - Otherwise, use `socketAddr` directly (XFF is untrusted).
  * - Falls back to `"unknown"` if neither is available.
  */
@@ -37,7 +57,7 @@ export function getClientIp(
 ): string {
   const normalizedSocket = socketAddr ? normalizeIp(socketAddr) : undefined;
 
-  if (xffHeader && normalizedSocket && trusted.has(normalizedSocket)) {
+  if (xffHeader && normalizedSocket && (trusted.has(normalizedSocket) || isPrivateIp(normalizedSocket))) {
     const parts = xffHeader.split(",");
     const first = parts[0]?.trim();
     if (first) return first;

package/src/api/middleware/rate-limit.ts

@@ -13,7 +13,7 @@ import type { Context, MiddlewareHandler, Next } from "hono";
 import type { IRateLimitRepository } from "../rate-limit-repository.js";
 import { getClientIpFromContext } from "./get-client-ip.js";
 
-export { getClientIp, parseTrustedProxies } from "./get-client-ip.js";
+export { getClientIp, isPrivateIp, parseTrustedProxies } from "./get-client-ip.js";
 
 // ---------------------------------------------------------------------------
 // Types
@@ -202,8 +202,12 @@ const FLEET_CREATE_LIMIT: Omit<RateLimitConfig, "repo" | "scope"> = { max: 30 };
 /** Fleet read operations (GET /fleet/*): 120 req/min */
 const FLEET_READ_LIMIT: Omit<RateLimitConfig, "repo" | "scope"> = { max: 120 };
 
-/** Default for everything else: 60 req/min */
-const DEFAULT_LIMIT: Omit<RateLimitConfig, "repo" | "scope"> = { max: 60 };
+/** Default for everything else: 200 req/min.
+ * A single Next.js page load triggers ~60-70 REST requests (sidebar, credits,
+ * session validation, marketplace, etc.). 60 was too low and caused users to
+ * hit rate limits on their first page load. Sensitive endpoints (auth, billing,
+ * signup) have their own stricter limits below. */
+const DEFAULT_LIMIT: Omit<RateLimitConfig, "repo" | "scope"> = { max: 200 };
 
 /** Auth login: 5 failed attempts per 15 minutes (WOP-839) */
 const AUTH_LOGIN_LIMIT: Omit<RateLimitConfig, "repo" | "scope"> = {

package/src/middleware/get-client-ip.test.ts

@@ -1,5 +1,5 @@
 import { describe, expect, it } from "vitest";
-import { getClientIp, parseTrustedProxies } from "./get-client-ip.js";
+import { getClientIp, isPrivateIp, parseTrustedProxies } from "./get-client-ip.js";
 
 describe("parseTrustedProxies", () => {
   it("returns empty set for undefined", () => {
@@ -18,6 +18,44 @@ describe("parseTrustedProxies", () => {
   });
 });
 
+describe("isPrivateIp", () => {
+  it("identifies 10.x.x.x as private", () => {
+    expect(isPrivateIp("10.0.0.1")).toBe(true);
+    expect(isPrivateIp("10.255.255.255")).toBe(true);
+  });
+
+  it("identifies 172.16-31.x.x as private", () => {
+    expect(isPrivateIp("172.16.0.1")).toBe(true);
+    expect(isPrivateIp("172.18.0.5")).toBe(true);
+    expect(isPrivateIp("172.31.255.255")).toBe(true);
+  });
+
+  it("rejects 172.15.x.x and 172.32.x.x as non-private", () => {
+    expect(isPrivateIp("172.15.0.1")).toBe(false);
+    expect(isPrivateIp("172.32.0.1")).toBe(false);
+  });
+
+  it("identifies 192.168.x.x as private", () => {
+    expect(isPrivateIp("192.168.0.1")).toBe(true);
+    expect(isPrivateIp("192.168.1.100")).toBe(true);
+  });
+
+  it("identifies 127.x.x.x as private (loopback)", () => {
+    expect(isPrivateIp("127.0.0.1")).toBe(true);
+  });
+
+  it("rejects public IPs", () => {
+    expect(isPrivateIp("8.8.8.8")).toBe(false);
+    expect(isPrivateIp("1.2.3.4")).toBe(false);
+    expect(isPrivateIp("203.0.113.1")).toBe(false);
+  });
+
+  it("rejects non-IPv4 strings", () => {
+    expect(isPrivateIp("::1")).toBe(false);
+    expect(isPrivateIp("not-an-ip")).toBe(false);
+  });
+});
+
 describe("getClientIp", () => {
   it("returns socket address when no trusted proxies configured", () => {
     expect(getClientIp("attacker-spoofed", "1.2.3.4", new Set())).toBe("1.2.3.4");
@@ -46,4 +84,18 @@ describe("getClientIp", () => {
   it("returns 'unknown' when no socket and no XFF", () => {
     expect(getClientIp(undefined, undefined, new Set())).toBe("unknown");
   });
+
+  it("auto-trusts private IPs even without explicit trusted proxy set", () => {
+    expect(getClientIp("real-client", "172.18.0.5", new Set())).toBe("real-client");
+    expect(getClientIp("real-client", "192.168.1.1", new Set())).toBe("real-client");
+    expect(getClientIp("real-client", "10.0.0.1", new Set())).toBe("real-client");
+  });
+
+  it("auto-trusts IPv6-mapped private IPs", () => {
+    expect(getClientIp("real-client", "::ffff:172.18.0.5", new Set())).toBe("real-client");
+  });
+
+  it("does NOT auto-trust public IPs without explicit proxy config", () => {
+    expect(getClientIp("spoofed", "8.8.8.8", new Set())).toBe("8.8.8.8");
+  });
 });

package/src/middleware/get-client-ip.ts

@@ -19,14 +19,34 @@ function normalizeIp(ip: string): string {
   return ip.startsWith("::ffff:") ? ip.slice(7) : ip;
 }
 
+/**
+ * Check whether an IPv4 address is in an RFC 1918 private range or loopback.
+ * These are always behind a proxy in production (Docker, k8s, cloud VPCs)
+ * so trusting X-Forwarded-For from them is safe and expected.
+ *
+ * Ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8
+ */
+export function isPrivateIp(ip: string): boolean {
+  const parts = ip.split(".");
+  if (parts.length !== 4) return false;
+  const a = Number.parseInt(parts[0], 10);
+  const b = Number.parseInt(parts[1], 10);
+  if (a === 10) return true;
+  if (a === 172 && b >= 16 && b <= 31) return true;
+  if (a === 192 && b === 168) return true;
+  if (a === 127) return true;
+  return false;
+}
+
 // Parsed once at module load — no per-request overhead.
 const trustedProxies = parseTrustedProxies(process.env.TRUSTED_PROXY_IPS);
 
 /**
  * Determine the real client IP.
  *
- * - If `socketAddr` matches a trusted proxy, use the **last** (rightmost)
- *   value from `X-Forwarded-For` (closest hop to the trusted proxy).
+ * - If `socketAddr` matches a trusted proxy (explicit list OR RFC 1918
+ *   private IP), use the **last** (rightmost) value from
+ *   `X-Forwarded-For` (closest hop to the trusted proxy).
  * - Otherwise, use `socketAddr` directly (XFF is untrusted).
  * - Falls back to `"unknown"` if neither is available.
  */
@@ -37,7 +57,7 @@ export function getClientIp(
 ): string {
   const normalizedSocket = socketAddr ? normalizeIp(socketAddr) : undefined;
 
-  if (xffHeader && normalizedSocket && trusted.has(normalizedSocket)) {
+  if (xffHeader && normalizedSocket && (trusted.has(normalizedSocket) || isPrivateIp(normalizedSocket))) {
     // Trust XFF — take the rightmost (last) value
     const parts = xffHeader.split(",");
     const last = parts[parts.length - 1]?.trim();

package/src/middleware/rate-limit.test.ts

@@ -272,12 +272,19 @@ describe("trusted proxy validation", () => {
     vi.useRealTimers();
   });
 
-  it("ignores X-Forwarded-For when TRUSTED_PROXY_IPS is not set", () => {
+  it("auto-trusts private IPs even when TRUSTED_PROXY_IPS is not set", () => {
     const trusted = parseTrustedProxies(undefined);
     expect(trusted.size).toBe(0);
 
+    // Private IPs are auto-trusted — XFF is used
     const ip = getClientIp("spoofed-ip", "192.168.1.100", trusted);
-    expect(ip).toBe("192.168.1.100");
+    expect(ip).toBe("spoofed-ip");
+  });
+
+  it("ignores X-Forwarded-For from public IPs when TRUSTED_PROXY_IPS is not set", () => {
+    const trusted = parseTrustedProxies(undefined);
+    const ip = getClientIp("spoofed-ip", "203.0.113.1", trusted);
+    expect(ip).toBe("203.0.113.1");
   });
 
   it("trusts X-Forwarded-For when socket address is in TRUSTED_PROXY_IPS", () => {

package/src/middleware/rate-limit.ts

@@ -13,7 +13,7 @@ import type { Context, MiddlewareHandler, Next } from "hono";
 import { getClientIpFromContext } from "./get-client-ip.js";
 import type { IRateLimitRepository } from "./rate-limit-repository.js";
 
-export { getClientIp, parseTrustedProxies } from "./get-client-ip.js";
+export { getClientIp, isPrivateIp, parseTrustedProxies } from "./get-client-ip.js";
 
 // ---------------------------------------------------------------------------
 // Types